From 9fcbb6398f778dfa1b46832dd680f72a7d1b62e3 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 04 2018 00:55:34 +0000 Subject: * Sun Nov 04 2018 Lukas Vrabec - 3.14.3-11 - Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063) - Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948) - Add dac_override capability to ftpd_t domain - Allow gpg_t to create own tmpfs dirs and sockets - Allow rhsmcertd_t domain to relabel cert_t files - Add SELinux policy for kpatch - Allow nova_t domain to use pam - sysstat: grant sysstat_t the search_dir_perms set - Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313) - Allow systemd_logind_t to read fixed dist device BZ(1645631) - Allow systemd_logind_t domain to read nvme devices BZ(1645567) - Allow systemd_rfkill_t domain to communicate via dgram sockets with syslogd BZ(1638981) - kernel/files.fc: Label /run/motd.d(/.*)? as etc_t - Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949) - Allow X display manager to check status and reload services which are part of x_domain attribute - Add interface miscfiles_relabel_generic_cert() - Make kpatch policy active - Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs - Dontaudit sys_admin capability for netutils_t domain - Label tcp and udp ports 2611 as qpasa_agent_port_t --- diff --git a/selinux-policy.spec b/selinux-policy.spec index 2b8f20f..d8eec8b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 2d39d24bc2473eac94a5ccdfa373e29db041d3fd +%global commit0 a46eac200fe1261c59d4093721e3539139a1e45e %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 a69f9e63d83dd5f603147ddf7a349e075c80959d +%global commit1 6c30b43e6935ef82dc07dc56f4cbcb220ec814aa %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -709,6 +709,28 @@ exit 0 %endif %changelog +* Sun Nov 04 2018 Lukas Vrabec - 3.14.3-11 +- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063) +- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948) +- Add dac_override capability to ftpd_t domain +- Allow gpg_t to create own tmpfs dirs and sockets +- Allow rhsmcertd_t domain to relabel cert_t files +- Add SELinux policy for kpatch +- Allow nova_t domain to use pam +- sysstat: grant sysstat_t the search_dir_perms set +- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313) +- Allow systemd_logind_t to read fixed dist device BZ(1645631) +- Allow systemd_logind_t domain to read nvme devices BZ(1645567) +- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981) +- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t +- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949) +- Allow X display manager to check status and reload services which are part of x_domain attribute +- Add interface miscfiles_relabel_generic_cert() +- Make kpatch policy active +- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs +- Dontaudit sys_admin capability for netutils_t domain +- Label tcp and udp ports 2611 as qpasa_agent_port_t + * Tue Oct 16 2018 Lukas Vrabec - 3.14.3-10 - Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786) diff --git a/sources b/sources index b670d9b..9bd4afc 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (selinux-policy-2d39d24.tar.gz) = 0b25543fa70599a6086336fa90edf69acda23d7c5df861a88b5733e7c14947e5f05a178e7f8fb5ebc8da9c90c1a45a746265c9ced677f4887c5267252d0e59b4 -SHA512 (selinux-policy-contrib-a69f9e6.tar.gz) = c62e676a671e7972ea21e29c2b63c773d52364abc578aea4a5d58d283311dcef8fa8ea5f835802e2672a8ee0ee182c7d3d548df9de09df400d7dddc4ad26efce -SHA512 (container-selinux.tgz) = 4551b22581627050aa1e3bb3af025f22203d6d551d2e45e364bd702b4ca89253c6c47bb32fdf8e80727a8586defbfcd0d52e2a612d97a22d8f76217666c7f864 +SHA512 (selinux-policy-a46eac2.tar.gz) = 88cf4f6801637eed42327796358b74c5db660d2f029c44693149e7339c595736a957626d2302b582fa11a628c655425ee819fabdb21551f819a253edb550f1d4 +SHA512 (selinux-policy-contrib-6c30b43.tar.gz) = fb6cc12a4547a61daedb140f07a0858edc584124442d4010849cf7a5dd8b421ea35825c428b9f4ca7fe6d0ef2ec99cd0798112545911fe5c42cfa55139533347 +SHA512 (container-selinux.tgz) = 7efc8fce110a6ae7ecb4574d7c9a2929997e23e31484924c74b37275121cde680311e46ec44fbdef8a8de89fca46b0c29811ab1a497627330ccf4021ddc47ec7
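
Review bot: In the new 3.14.3-11 %changelog block (hunk @@ -709,6 +709,28 @@), the entry "Add dac_override capability to ftpd_t domain" carries no BZ reference, unlike several other entries in the same block, and dac_override lets a network-facing daemon bypass discretionary file permission checks. Cite the bug or the AVC denial that motivated it, and confirm the denial cannot be resolved by correcting ownership or mode on the files the FTP daemon touches instead of granting the capability. Minor wording in the same block: "comunicate" should be "communicate", and "fixed dist device" presumably means "fixed disk device".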
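
Review bot: The third line of the sources hunk (@@ -1,3 +1,3 @@) replaces the SHA512 for container-selinux.tgz, but the file name carries no commit or version, and neither the visible spec hunks nor the new changelog entries mention a container-selinux update. The other two tarballs are traceable because their names embed the short hashes of commit0 and commit1 (a46eac2, 6c30b43); please record the upstream container-selinux commit in the same way, or add a changelog line for it, so the new checksum can be audited against a known revision.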